Check: PHTN-67-000013
VMware vSphere 6.7 Photon OS STIG:
PHTN-67-000013
(in versions v1 r6 through v1 r1)
Title
The Photon operating system audit log must log space limit problems to syslog. (Cat II impact)
Discussion
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. Satisfies: SRG-OS-000046-GPOS-00022, SRG-OS-000344-GPOS-00135
Check Content
At the command line, execute the following command: # grep "^space_left_action" /etc/audit/auditd.conf Expected result: space_left_action = SYSLOG If the output does not match the expected result, this is a finding.
Fix Text
Open /etc/audit/auditd.conf with a text editor. Ensure that the "space_left_action" line is uncommented and set to the following: space_left_action = SYSLOG At the command line, execute the following command: # service auditd reload
Additional Identifiers
Rule ID: SV-239085r856038_rule
Vulnerability ID: V-239085
Group Title: SRG-OS-000046-GPOS-00022
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000139 |
The information system alerts designated organization-defined personnel or roles in the event of an audit processing failure. |
CCI-001858 |
The information system provides a real-time alert in an organization-defined real-time period to organization-defined personnel, roles, and/or locations when organization-defined audit failure events requiring real-time alerts occur. |